wcruvinel (Staff)
December 23, 2024

Technical Tip: VPN Autoconnect for Entra ID Users fails after upgrading to v7.6.1

Description

This article describes an issue where FortiClient users encounter the error 'Credential or SSLVPN configuration is wrong. (-7200)'. It occurs after upgrading FortiOS to v7.6.1 and affects only remote FortiClient users who rely on the auto-connect feature to connect to the VPN automatically with Microsoft Entra ID credentials.

Scope

FortiGate v7.6.1.

Solution

After upgrading to v7.6.1, the auto-connect feature enabled for Entra ID users no longer works and FortiClient reports the error 'Credential or SSLVPN configuration is wrong. (-7200)'.

The following lines are seen in the sslvpn debug output on the FortiGate. The client first requests /remote/saml/autoauth?type=azure (worker 281); the follow-up connection (worker 282) then fails during the TLS handshake with 'unexpected eof while reading':

[281:root:6d]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[281:root:6d]req: /remote/info
[281:root:6d]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[281:root:6d]capability flags: 0x3cdf
[281:root:6d]req: /remote/saml/autoauth?type=azure
[281:root:6d]Content-Length n/a
[281:root:6d]Content-Length n/a
[282:root:6d]allocSSLConn:314 sconn 0x7f97856000 (0:root)
[282:root:6d]SSL state:before SSL initialization (10.10.10.10)
[282:root:6d]SSL state:fatal decode error (10.10.10.10)
[282:root:6d]SSL state:error:(null)(10.10.10.10)
[282:root:6d]SSL_accept failed, 1:unexpected eof while reading
[282:root:6d]Destroy sconn 0x7f97856000, connSize=0. (root)
[281:root:6d]SSL state:fatal decode error (10.10.10.10)

This issue has been resolved in FortiOS v7.6.3.

Workarounds:

  1. Disable Azure Auto Login in FortiClient EMS:

    • Open the EMS profile.

    • Navigate to the Azure Auto Login settings.

    • Uncheck 'Enable Azure Auto Login'.

  2. Switch to External Browser Authentication:

    • Update the FortiClient configuration to use the external browser for Entra ID SSO authentication instead of Auto Login.

General debug information required by FortiGate TAC for investigation:

  1. Set the log level to 'Debug' on FortiClient.
  2. Enable the following debugs on the FortiGate CLI, reproduce the issue, then reset the debugs:

diagnose debug application fnbamd -1
diagnose debug application sslvpn -1
diagnose debug application samld -1
diagnose debug console timestamp enable
diagnose debug enable

Reproduce the issue.

diagnose debug reset

  3. Generate a TAC report:

execute tac report

  4. The configuration file of the FortiGate.
  5. Export the FortiClient logs as outlined in the article: Technical Tip: How to enable debug log in FortiClient and export the logs.
  6. Validate the device's join status to Microsoft Entra ID (formerly Azure Active Directory). On the affected Windows PC, open a Command Prompt with administrator permission, run the following command and save the output:

dsregcmd /status
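As an added example (not Fortinet's code, and not part of this article's procedure), the following Python script applies the failure signature shown in the debug output above to a saved sslvpn debug capture, so that a capture collected with the steps above can be pre-screened before the TAC report is opened. The sample capture embedded in the script is constructed: it repeats the lines quoted in this article and appends a constructed healthy external-browser SAML session (worker 300, path /remote/saml/start) so the script has a negative case. The correlation window size and the third bracket field being an opaque tag are assumptions.

```python
"""Triage helper for a saved 'diagnose debug application sslvpn -1' capture.

Added example, not Fortinet's code. It looks for the signature quoted in the
article: a FortiClient request to /remote/saml/autoauth followed by an
SSL_accept failure on the next connection from the client.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# '[pid:vdom:tag]message'. A leading console timestamp (if enabled) is ignored
# because the pattern is searched, not anchored. The third field is carried
# along but not interpreted (assumption: it is an opaque per-worker tag).
LINE_RE = re.compile(r"\[(\d+):(\w+):(\w+)\](.*)$")
PEER_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")
AUTOAUTH_RE = re.compile(r"^req: /remote/saml/autoauth\?type=(\w+)")
ACCEPT_FAIL_RE = re.compile(r"^SSL_accept failed, \d+:(.*)$")

# Constructed sample: the lines quoted in the article (workers 281/282),
# followed by a constructed healthy external-browser SAML session (worker 300).
SAMPLE_DEBUG = """\
[281:root:6d]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[281:root:6d]req: /remote/info
[281:root:6d]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[281:root:6d]capability flags: 0x3cdf
[281:root:6d]req: /remote/saml/autoauth?type=azure
[281:root:6d]Content-Length n/a
[281:root:6d]Content-Length n/a
[282:root:6d]allocSSLConn:314 sconn 0x7f97856000 (0:root)
[282:root:6d]SSL state:before SSL initialization (10.10.10.10)
[282:root:6d]SSL state:fatal decode error (10.10.10.10)
[282:root:6d]SSL state:error:(null)(10.10.10.10)
[282:root:6d]SSL_accept failed, 1:unexpected eof while reading
[282:root:6d]Destroy sconn 0x7f97856000, connSize=0. (root)
[281:root:6d]SSL state:fatal decode error (10.10.10.10)
[300:root:6d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[300:root:6d]req: /remote/info
[300:root:6d]req: /remote/saml/start?redirect=1
[300:root:6d]User Agent: Mozilla/5.0
"""


@dataclass
class Entry:
    pid: str
    vdom: str
    tag: str
    msg: str


@dataclass
class Finding:
    autoauth_type: str   # value of the ?type= parameter ('azure' in the article)
    peer: Optional[str]  # client address seen on the failing connection, if any
    reason: str          # text after 'SSL_accept failed, n:'


def parse_debug(text: str) -> List[Entry]:
    """Keep only lines carrying the '[pid:vdom:tag]' prefix; CLI echo is dropped."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if m:
            out.append(Entry(*m.groups()))
    return out


def find_autoauth_failures(entries: List[Entry], window: int = 12) -> List[Finding]:
    """Correlate each autoauth request with an SSL_accept failure that follows it.

    The article's capture shows the request on worker 281 and the failure on
    worker 282, so correlation is by order within a bounded window (the size
    is an assumption), stopping at the next 'SSL established' or autoauth
    request, which marks a new client session.
    """
    findings = []
    for i, e in enumerate(entries):
        m = AUTOAUTH_RE.match(e.msg)
        if not m:
            continue
        reason, peer = None, None
        for f in entries[i + 1:i + 1 + window]:
            if f.msg.startswith("SSL established") or AUTOAUTH_RE.match(f.msg):
                break
            fm = ACCEPT_FAIL_RE.match(f.msg)
            if fm:
                reason = fm.group(1).strip()
            pm = PEER_RE.search(f.msg)
            if pm and peer is None:
                peer = pm.group(1)
        if reason:
            findings.append(Finding(m.group(1), peer, reason))
    return findings


def triage(text: str) -> str:
    """One line per finding, or a note that the signature is absent."""
    findings = find_autoauth_failures(parse_debug(text))
    if not findings:
        return "no autoauth failure signature found"
    return "\n".join(
        f"autoauth type={f.autoauth_type} peer={f.peer or '?'} SSL_accept failed: {f.reason}"
        for f in findings
    )


if __name__ == "__main__":
    print(triage(SAMPLE_DEBUG))
```

Run it against a capture saved from the CLI session (the console timestamp prefix enabled in step 2 is tolerated). A session that uses external browser authentication (the second workaround) never issues the autoauth request, so it produces no finding; a match on an upgraded v7.6.1 unit is the signature this article describes, and the fix is the upgrade to v7.6.3.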